HIPAA Frequently Asked Questions

What is HIPAA and how does it apply to research?

The Health Insurance Portability and Accountability Act (HIPAA) establishes conditions
under which protected health information (PHI) may be used or disclosed by covered
entities for research purposes [45 CFR 164.501, 164.508(f), 164.512(i)]. The Privacy
Rule outlined in HIPAA defines the means by which individuals/human research subjects
are informed of how medical information about them will be used or disclosed, and
their rights with regard to gaining access to information about them when such information
is held by covered entities. In the course of conducting research, researchers may
create, use, and/or disclose individually identifiable health information. Under the
Privacy Rule, covered entities are permitted to use and disclose PHI for research
with individual authorization, or without individual authorization under limited circumstances.

The Privacy Rule permits researchers to use and disclose PHI for research when participants
authorize the use or disclosure of information about themselves. Typically, a research
participant's authorization will be sought for clinical trials and some research involving
records. In these instances, specific elements must be included in the informed consent
form (see UTC IRB Policy). There also are four circumstances that allow researchers
to use and disclose PHI for research purposes without authorization by research subjects.
These are:

HIPAA regulations are quite complex. Researchers using health information should
consult the full UTC IRB policy for additional guidance.

Do HIPAA regulations apply to data sets with health information?

Yes. Regulations permit covered entities (usually the agency providing the data)
to disclose health information for research purposes without authorization by the
research subject if the use or disclosure involves a "limited data set" and the covered
entity enters into a data use agreement with the researcher. A "limited data set"
is protected health information that excludes the following direct identifiers of
the individual or of relatives, employers, or household members of the individual
subjects:

Investigators may use a limited data set for research without subject authorization
if they have completed a Limited Data Use Agreement with the entity releasing the
data. Investigators in this situation should complete a Form K and email the Form
and the Limited Data Use Agreement to the IRB Chair. (Normally, the entity releasing
the data should provide the Limited Data Use Agreement; however, if the entity does
not have such a form the investigator should contact the IRB Chair for examples of
acceptable forms.)

PHI can be released freely if it does not contain "individually identifiable information"
as defined in the section above. PHI is not individually identified if the subject
is not identified, directly or indirectly, and if the subject has no reasonable basis
to believe that the information can be used to identify them.

What if you collected data that includes protected health information (PHI)?

If an investigator maintains a database containing PHI, then the investigator has an
obligation to ensure that the use and disclosure of PHI is in compliance with federal
guidelines and UTC policy. The investigator is responsible for:

Maintaining applicable security for the database, including physical security and
access control;

Controlling and managing the access, use and disclosure of PHI, including verifying appropriate
IRB approvals and patient authorizations; and

Ensuring that any PHI in the database used for treatment or payment purposes is a duplicate
and that the original is included in the patient's medical record.

Databases created prior to April 14, 2003 are grandfathered in and do not have to
meet the Privacy Act policies. Studies involving subjects that have enrolled prior
to April 14, 2003 will not be required to re-consent. Investigators may continue to
collect and use data gathered from these subjects and no new documentation is required.

If my research involves protected health information (PHI), what forms should I submit
to the IRB?

Complete a Form H to determine which forms should be completed and submitted to the IRB. If you have
additional questions, contact instrb@utc.edu.

Covered Entities

Certain organizations and individuals are considered "covered entities" in the Administrative
Simplification regulations adopted by HHS under HIPAA, and must comply with special
requirements. For guidance on how to determine whether an organization or individual
is considered a covered entity, please see the Covered Entity Chart.